Wednesday, February 04, 2009

Tonight DotNetOpenId, soon to be renamed DotNetOpenAuth, released beta 1 of the major v3.0 release. You can download the bits from Ohloh. Although downloads should remember that as a beta this version should not be used in production, there are several new features that should be worth investigating and building a web application around while the final release is still in development:

RP+OP: Exceptions are now much more predictable: the host need only catch ProtocolException to handle all unexpected error cases.

RP+OP: OpenID extensions without simultaneous authentication.

RP: Signed callback arguments so relying parties can be confident their data was not tampered with during authentication.

RP: Smaller authentication request messages (shorter URLs).

OP: Ability to customize the lifetimes of each shared association type for added security.

Over 400 unit tests (150+ more than previous version).

The biggest addition is obviously OAuth support, which is an entirely new protocol that actually has little-to-nothing to do with OpenID, except that they work great together. To do this the entire library was rewritten on a new reusable messaging stack that both the OpenID and OAuth protocols share.

Also keep in mind that with the product rename, the namespace has changed, and a little bit of the public API as well. This means that this version is not simply a drop-in replacement for DotNetOpenId v2.0, and host sites will have to adjust their code accordingly.

But as always, your feedback and donations for this free, open source software are appreciated!

2 comments:

That's not fully determined. At this point, whether the namespace is all that a relying party needs to change for the upgrade depends on how much of the public API the site touches. A better, more comprehensive write-up will hopefully be ready when the final version is released.